From: accounts@somedomain.tld
Date: Tuesday, 8 November 2016, 10:59
Subject: Statement

For your Information.

The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip, which in turn contains a malicious WSF script (like this) named in a format similar to SLM245260-0214.wsf.
Hybrid Analysis of this one sample shows a download occurring from:
gpstrackerbali.com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG
There will no doubt be many other locations; if I get more information, I will post it here. The script drops a DLL with a detection rate of 14/56, and the malware appears to phone home to:
185.118.66.90/message.php (vpsville.ru, Russia)
158.69.223.5/message.php (OVH, Canada)
Recommended blocklist:
185.118.66.90
158.69.223.5
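As an added example (not part of the original post), a small Python check that applies the indicators listed above to constructed proxy log lines and to attachment names; the log layout, the generalised WSF file-name pattern and the sample lines are assumptions made for the example:

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators quoted in the post: the payload download host and the two
# phone-home addresses (both serving message.php).
DOWNLOAD_HOST = "gpstrackerbali.com"
C2_IPS = {"185.118.66.90", "158.69.223.5"}
# Attachment naming from the post; the WSF pattern is an assumption
# generalised from the single sample name SLM245260-0214.wsf.
ZIP_NAME_RE = re.compile(r"^Statement PDF - \d+\.zip$", re.IGNORECASE)
WSF_NAME_RE = re.compile(r"^[A-Z]{3}\d{6}-\d{4}\.wsf$", re.IGNORECASE)
# Assumed (constructed) proxy log layout: "<timestamp> <client> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def is_campaign_attachment(zip_name: str, inner_names: List[str]) -> bool:
    """True when a ZIP matches the campaign naming and carries a .wsf script."""
    if not ZIP_NAME_RE.match(zip_name):
        return False
    return any(WSF_NAME_RE.match(name) for name in inner_names)

def _host_and_path(url: str):
    if "://" not in url:          # logs often omit the scheme; urlsplit needs it
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path

def find_c2_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests to the download host or to message.php on a C2 IP."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue              # malformed line: skip rather than abort the scan
        ts, client, _method, url = m.groups()
        host, path = _host_and_path(url)
        if host in C2_IPS and path == "/message.php":
            hits.append({"time": ts, "client": client, "host": host, "reason": "c2-beacon"})
        elif host == DOWNLOAD_HOST:
            hits.append({"time": ts, "client": client, "host": host, "reason": "payload-download"})
    return hits

# Constructed sample log lines (not real traffic) covering both indicator types.
SAMPLE_LOG = """\
2016-11-08T11:02:13 10.0.0.21 GET http://gpstrackerbali.com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG
2016-11-08T11:02:40 10.0.0.21 POST http://185.118.66.90/message.php
2016-11-08T11:03:01 10.0.0.22 GET http://www.example.com/index.html
2016-11-08T11:03:05 10.0.0.21 POST 158.69.223.5/message.php
malformed entry
""".splitlines()
```

Run against real proxy output, the `find_c2_hits` result gives the first client to fetch the payload and every later beacon, which is the host list an incident responder wants before the blocklist goes in.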